Update: What Jennifer Lawrence can teach you about cloud security

By now, you have probably heard about the digital exposure, so to speak, of nude photos of as many as 100 celebrities, allegedly taken from their Apple iCloud backups (and, it appears, based on the image analysis done by some, from other cloud services). Some of the images were posted to the “b” forum on 4Chan. Over the last day, an alleged perpetrator has been exposed by redditors, although the man has declared his innocence. The mainstream media have leapt on the story and have gotten reactions from affected celebrities including Oscar winner Jennifer Lawrence and model Kate Upton.

Someone claiming to be the individual responsible for the breach has used 4Chan to offer explicit videos from Lawrence’s phone, as well as more than 60 nude “selfies” of the actress. In fact, it seems multiple "b-tards" claimed they had access to the images, with one providing a Hotmail address associated with a PayPal account, and another seeking contributions to a Bitcoin wallet. Word of the images launched a cascade of Google searches and set Twitter trending. As a result, 4Chan/b—the birthplace of Anonymous—has opened its characteristically hostile arms to a wave of curious onlookers hoping to catch a glimpse of their favorite starlets’ naked bodies. Happy Labor Day!

This breach appears different from other recent celebrity "hacks" in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or low-tech research to gain control of the victims' cloud accounts, the attacker basically bashed in the front door—and Apple didn't find out until the attack was over. A long, unusual password might have kept the attack from succeeding, but the only certain defense against this kind of assault was never to put photos in Apple's cloud in the first place. Even Apple's two-factor authentication would not have helped, if the attack was the one now being investigated, because it did not stand between a stolen password and the account's cloud data.

Update: Apple has acknowledged the attack, but an Apple spokesperson claims that it was a "very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone." Apple is encouraging users to use its two-factor authentication to prevent security-question based attacks on their accounts.

Because Apple devices and others automatically upload so much to the cloud by default—including full phone backups, which an attacker who compromises the account can restore onto another device—these personal cloud services are particularly dangerous. Their usability in terms of content management is poor at best: does anybody really know what is sitting in Apple's or Google's data stores from their phones? This, combined with ongoing threats such as carefully crafted phishing attacks and large-volume password cracking, makes it especially hard to protect mobile data in a world where everything on your phone is already on the Internet, protected only by your login credentials.

iBrute iForce iHack

Initial reports suggested that the breach of the celebrities’ iCloud accounts was made possible by a vulnerability in Apple’s Find My iPhone application programming interface. Proof-of-concept code for the exploit, called iBrute, allowed for brute-force password cracking of accounts. It was uploaded to GitHub on August 30, just a day before the breach occurred, as ZDNet’s Adrian Kingsley-Hughes noted. Apple patched the vulnerability early on September 1.

All the brute-force attack did was test combinations of e-mail addresses and passwords drawn from two separate “dictionary” files. It required knowledge (or good guesses) of the targets’ iCloud account e-mail addresses and a large list of candidate passwords. The weakness was that the Find My iPhone service did not lock out access to an account after a number of failed attempts, so the attacker could keep hammering away at targeted accounts until access was granted. Once successful, the attacker could connect to iCloud and retrieve iPhone backups, images from the iOS Camera Roll, and other data.
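The difference a lockout makes is easy to see in a simulation. What follows is an added example written for this page, not the iBrute code and not anything from Apple: a toy login service with an optional per-account lockout, run against a constructed dictionary attack. Every address, password, wordlist entry and threshold below is made up for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a low iteration count keeps the demo quick (production uses far more).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class AuthService:
    """Toy login endpoint. lockout_threshold=None models a service with no lockout at all."""

    def __init__(self, lockout_threshold=None, lockout_seconds=900.0):
        self.accounts = {}
        self.threshold = lockout_threshold
        self.lockout_seconds = lockout_seconds
        self.checks = 0  # how many passwords the service actually verified

    def register(self, email, password):
        salt = os.urandom(16)
        self.accounts[email] = Account(salt=salt, pw_hash=_hash(password, salt))

    def login(self, email, password, now):
        acct = self.accounts.get(email)
        if acct is None:
            return "denied"  # same answer as a wrong password, so addresses can't be enumerated
        if acct.locked_until > now:
            return "locked"  # refuse before touching the password at all
        self.checks += 1
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.threshold is not None and acct.failures >= self.threshold:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
        return "denied"


def dictionary_attack(service, emails, wordlist):
    """Walk every (e-mail, password) pair the way the tool described above did.
    Time advances one second per attempt. Returns (cracked, checks_performed)."""
    cracked = {}
    now = 0.0
    for email in emails:
        for candidate in wordlist:
            now += 1.0
            result = service.login(email, candidate, now)
            if result == "ok":
                cracked[email] = candidate
                break
            if result == "locked":
                break  # nothing more to try against this account until the lockout expires
    return cracked, service.checks


def demo():
    """Run the same attack against a no-lockout service and a lockout-after-3 service.
    Returns {label: (cracked_accounts, password_checks_performed)}."""
    # Constructed data: invented addresses, passwords and wordlist.
    wordlist = ["123456", "password", "iloveyou", "Summer2014", "Fluffy1!"]
    targets = ["alice@example.com", "bob@example.com"]
    results = {}
    for label, threshold in (("no_lockout", None), ("lockout_after_3", 3)):
        svc = AuthService(lockout_threshold=threshold)
        svc.register("alice@example.com", "Fluffy1!")  # weak: it is in the wordlist
        svc.register("bob@example.com", "correct horse battery staple")
        results[label] = dictionary_attack(svc, targets, wordlist)
    return results


if __name__ == "__main__":
    for label, (cracked, checks) in demo().items():
        print(f"{label}: cracked={cracked} password_checks={checks}")
```

Without a lockout the service verifies every guess and gives up the weak password; with a threshold of three it verifies three guesses per account and then refuses to look at any more. A per-account lockout has its own cost, since anyone who knows a victim's address can lock the victim out, which is why real services usually combine a lockout with per-source throttling, back-off and a CAPTCHA rather than relying on any one of them.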

But Apple claims that no flaw in its service was used for the attack. Instead, it says, it was a much lower-tech attack, similar to previous celebrity cloud account hacks over the past few years, relying either on "phishing" account data through targeted, fake e-mails or simply on using public information to guess a celebrity's password or security-question answers. This is an old 4Chan standby: the 2008 hack of Sarah Palin's Yahoo e-mail account, which was posted to 4Chan's "b" forum, also used public information on the target to obtain the password to the account.

Cloud abuse

Apple’s iCloud security (and that of other mobile cloud services) has been bruised and broken before, though most of the past attacks have been based on social engineering and use of publicly available information about the victims. Christina Aguilera, Scarlett Johansson, and other celebrities were hacked in 2011 by a Florida man who essentially guessed passwords or recovered them using personal details. He then set up forwarding addresses in their e-mail accounts to an account he controlled—allowing him to answer security confirmation e-mails and take control of their devices.

And then there’s the story of what happened to Wired’s Mat Honan in 2012: a “hacker” obtained the last four digits of his credit card number from Amazon, then called Apple’s tech support and used that information to convince Apple that he was Honan, getting the password on his Apple account reset. With control of Honan's Apple e-mail address, the attacker then reset his Gmail password and took over that account as well.

Caveat Selfor

Given how much of what is on smartphones is now automatically backed up to the cloud, anyone should pause before disrobing in front of a smartphone camera, regardless of the phone's operating system or how that image will be delivered to its intended audience. All of these services are only as secure as the obscurity of the mother’s maiden name of the person you sent that picture to, or as the next zero-day flaw. And while two-factor authentication—which uses a code sent to your device, or a secret recovery key if the device is lost—will prevent an attacker from bluffing through your security questions, it won't stop an attacker who obtains your password by other means from gaining access to your cloud data, as Dan Goodin reported last year.

Apple’s iOS backs up your photos to iCloud by default if you configure an account. Android’s backup does the same, and Google Plus, Yahoo's Flickr, and many other services offer to sync your images to the cloud automatically. Even if you don’t set one of these up for syncing, you never know what the person you send the picture to will do with it. Even “ephemeral” messaging applications like Snapchat, Glimpse, Wickr, and the like don’t block recipients from taking screen captures of the image—and if the recipient is using an iPhone, those captures might be synced to their cloud automatically.

If it’s in the cloud—a public, free cloud service, especially—then chances are good that eventually it will find its way to the Internet. Cloud services are leaky by their nature; things that are supposed to be private get stored alongside things that are shared, and anything from user error to a previously undiscovered vulnerability can make even strong passwords pointless, while exposing all of those things to the world.

And what happens when a cloud store gets breached? If the one doing the breaching is never caught, the answer is “not much”—because the cloud providers are generally covered from the victims’ wrath by terms of service.

In a conversation I had on Twitter this morning with Tal Klein, the vice president of strategy for the cloud security firm Adallom, Klein said there were two things to take away from this latest breach: “1. Don't take pictures of your junk; it will end up on the Internet somehow at some point. 2. Not all security is equal. And all vendors are mostly indemnified. So use the cloud because it's great, but be cognizant of accountability.”

Ricky Gervais tweeted (and then deleted): “Celebrities, make it harder for hackers to get nude pics of you from your computer by not putting nude pics of yourself on your computer.” But the problem is more fundamental than that. It is not the celebrities' fault that they were hacked; it is that, going forward, they should arm themselves with the knowledge that the cloud is fundamentally insecure. And mobile device manufacturers and cloud providers need to make security much more transparent to users and give them more control over what stays in the cloud.

This story has been updated based on additional information emerging on the attacks, from Apple's statement, and on feedback from peers and readers for clarity.

Apple's two-factor authentication does not work with all cell providers. It requires reception of an SMS code, which some people are unable to receive even though they have no problem receiving similar codes from other services. Apple must be using short codes, as some providers block those SMS codes.

People have to realize that *In the cloud* really does mean *it has been leaked to the Internet* and the only things protecting your data then are obscurity, encryption, and authentication.

In this case the authentication was laughably defective - we knew how to defeat (or at least seriously slow) this kind of brute force password attack 20 years ago.

The problem is that the hackers are far smarter and, crucially, *far more motivated* than the bored corporate drones who are responsible for the security, so they're going to keep outmaneuvering them like this.

I don't blame the celebrities here, because they had no idea that 'iCloud' means 'leaked to the internet'. That's Apple's fault for encouraging people to use it for everything and 'trust us, we're Apple'.

Edit: Even if it turns out to be Dropbox instead of iCloud the same thing still applies. It's out there, it's just a matter of how protected it is.

Or, as Ricky Gervais tweeted (and then deleted): “Celebrities, make it harder for hackers to get nude pics of you from your computer by not putting nude pics of yourself on your computer.”

Not sure why he deleted that -- that's actually some pretty good advice.

He probably thought some people would consider it insensitive, especially the victims. Since those victims are generally his colleagues, he might prefer not to unnecessarily provoke them, even if that's kinda the job description of a comedian. If he gets a film opportunity, and one of those people is in the cast, it's better for him if they're not pissed off at him.

Why would anyone in this day and age keep personal photos and videos stored in someone else's "cloud"? Hasn't anyone been reading all of the daily news stories about credit card theft, personal data theft, past hacks into other people's phones, and the like? Do you think that Apple has better security than the credit agencies do? If so you are living in a dream world.

Now you are going to tell me you aren't in the least bit curious? I won't go after those files and I don't condone hacking, but I am no saint either. If I could see any of those girls nude without harming anyone, I would.

Edit: Alright, then, I overstepped my bounds, sorry.

Just to let the mod know, you forgot a "[" to effectively hide my post above.

Oh god, I'm horrified that my first thought was "well, that will teach them not to put this on the Internet in the first place, they were asking for it".

A second later my prefrontal cortex took over and reminded my amygdala that I would see no evil in my girlfriend or myself doing exactly the same thing as these women: that's what life is about. These pictures were private, should have been protected better by the cloud services, and the celebrities are only victims in this sad story.

Two things though from the article:

Quote:

If it’s in the cloud—a public, free cloud service, especially—then chances are good that eventually it will find its way to the Internet. Cloud services are leaky by their nature—things that are supposed to be private get stored alongside things that are shared, and anything from user error to a previously undiscovered vulnerability can make even strong passwords pointless, while exposing all of those things to the world.

How does this make any sense? These services are only leaky when not securely implemented. Apple provides a service that they pretend is secure, hence they have a legal duty to make sure it is and should be held responsible for any exploitable breach in their systems. The fact that the service is free and potentially has vulnerabilities (something which could be prevented to a large extent by using formal methods to write all this software, by the way) is irrelevant.

If I were one of these celebrities I would sue the hell out of Apple (and I'll be waiting in line for the iPhone 6 to replace my aging 4).

Also:

Quote:

“1. Don't take pictures of your junk; it will end up on the Internet somehow at some point. 2. Not all security is equal. And all vendors are mostly indemnified. So use the cloud because it's great, but be cognizant of accountability.”

That's not acceptable advice. User error aside, Internet services ought to provide as much security as one's own photo album in the library provides. Your paper photo album will not end up in everyone's hands unless you voluntarily or accidentally leave it outside your home for everyone to grab, and expectations that cloud services provide the same kind of security are legally perfectly reasonable.

I would understand it if he had phrased it as "do not use these services until they start using formal methods to certify against implementation defects" but that's not what he said. He suggested people voluntarily restrict their freedom because these things happen. They should not happen; a burglary is a burglary, and when it happens in a place that was safeguarded by a company which guaranteed you it was 100% safe then this company is liable.

What he said is not that far from victim blaming and I can't wait for the comments who will say it explicitly...

Quote:

People have to realize that *In the cloud* really does mean *it has been leaked to the Internet* and the only things protecting your data then are obscurity, encryption, and authentication.

In this case the authentication was laughably defective - we knew how to defeat (or at least seriously slow) this kind of brute force password attack 20 years ago.

The problem is that the hackers are far smarter and, crucially, *far more motivated* than the bored corporate drones who are responsible for the security, so they're going to keep outmaneuvering them like this.

I don't blame the celebrities here, because they had no idea that 'iCloud' means 'leaked to the internet'. That's Apple's fault for encouraging people to use it for everything and 'trust us, we're Apple'.

This is bullshit. Hosting files on iCloud is not equivalent to something being "leaked to the internet". iCloud data is still private. Leaking requires a decision by someone to attack and compromise an account. Apple needs to do a better job securing their infrastructure, but the blame for the leak still falls squarely on the shoulders of the leaker.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.